Forum / NoMachine for Linux / Fail2ban jail
Tagged: fail2ban
- This topic has 4 replies, 2 voices, and was last updated 8 years, 2 months ago by nars.
October 3, 2016 at 07:47 #12549 ty Participant
Hi,
I’m trying out NoMachine on an Ubuntu 16.04.1 system that uses fail2ban and I’m wondering if anyone has successfully configured fail2ban for NoMachine.
I’m learning about fail2ban at the moment; however, some assistance from someone who has this working would be greatly appreciated.
The 2 scenarios I’m keen to address are: attempts to connect with an incorrect public key, and attempts to log in after using the correct public key.
Remote machine: Ubuntu 16.04.1 desktop (GNOME I think), NoMachine free, latest version
Local machine: OSX El Capitan, NoMachine free, latest version
October 6, 2016 at 09:40 #12603 ty Participant
I’m still searching around for anything that might help with this problem. I found this from FreeNX (which I believe is a precursor to NoMachine) at a KDE mailing list in 2011:
https://mail.kde.org/pipermail/freenx-knx/2011-May/009301.html
Can anyone shed some light on what the NoMachine log file would have in it when failed authentication occurs? This seems to be the key bit of information to block IP addresses that are attempting to connect too often.
October 7, 2016 at 10:50 #12616 nars Contributor
Hello ty,
Log entries for NoMachine 5.1.54 free related to failed authentications are listed below.
Logs of failed authentication are stored in /usr/NX/var/log/nxserver.log without enabling any additional debug modes. Just keep the log level at 6, which is the default.
a) Incorrect login log
2016-10-06 11:54:58 111.214 5478 NXSERVER ERROR! Sending error message ‘NX> 404 ERROR: Wrong password or Login.’
b) Incorrect password log
2016-10-06 12:05:56 953.011 5495 NXSERVER ERROR! Sending error message ‘NX> 404 ERROR: Wrong password or Login.’
c) Incorrect key log
2016-10-06 12:23:04 676.653 5840 NXSERVER ERROR! Sending error message ‘NX> 500 ERROR: Cannot accept public key. ‘
Regards.
October 10, 2016 at 09:25 #12647 ty Participant
Thanks for the reply nars. I appreciate the help.
Do you happen to know if the logs allow me to find out the IP address where the login attempt originated? It looks like that information isn’t present in the nxserver.log example you have kindly provided.
The idea is to identify the IP addresses of systems that are failing to log in and ban them in the firewall for a period of time. Hopefully this will help discourage scripts from trying to brute force the server, i.e. fail a few times within an hour and the IP is banned until tomorrow.
October 11, 2016 at 07:24 #12661 nars Contributor
In the case of an incorrect login/password, you can find in the default mode logs a line like
2016-10-06 11:54:58 110.837 5478 NXSERVER ERROR! wrong ‘nxexec authentication’ for user ‘nomachine1’ from ‘10.0.1.61’.
which unambiguously indicates a problem with logging in and contains the client IP.
In the case of a wrong certificate it is more difficult. There is no log line that contains both the client IP and information about the wrong authentication. To get it you may activate the server debug log (set "SessionLogLevel 7" in the /usr/NX/etc/server.cfg configuration file) and find the line informing about the client connecting using the same nxserver --login process PID, for example by running as root:
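# PID of the nxserver --login process that last rejected a public key
PID=$(grep -i "ERROR: Cannot accept public key" /usr/NX/var/log/nxserver.log | tail -1 | sed 's/NXSERVER ERROR.*//g' | awk '{ print $NF }')
# Connection line logged by that same PID; the first field after "NX_CONNECTION: " is the address
grep "Local IP determined from NX_CONNECTION" /usr/NX/var/log/nxserver.log | grep "$PID" | tail -1 | sed 's/.*NX_CONNECTION: //g' | cut -f 1 -d " "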
which returns the client IP address as the result.
Please note that keeping the server in debug mode for a long time consumes a lot of disc space.
Regards.
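
The ban rule ty describes, applied to the failed-login line nars quotes, as an added example that is not part of the original thread or NoMachine's own code. fail2ban failregex patterns are Python regular expressions, so the pattern can be checked in Python first; the sample log, the `maxretry`/`findtime` values, IPv4-only matching and chronological log order are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Candidate pattern, written the way a fail2ban failregex would be; <HOST> is
# replaced here by a named IPv4 group. Anchoring on the trailing "from '<ip>'."
# means a crafted user name that itself contains "from '1.2.3.4'" cannot
# displace the real client address in the match.
Q = "['\u2018\u2019]"  # the forum rendering shows curly quotes; accept both forms
FAILREGEX = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) \S+ \d+ NXSERVER ERROR! "
    rf"wrong {Q}nxexec authentication{Q} for user {Q}.*{Q} "
    rf"from {Q}(?P<host>\d{{1,3}}(?:\.\d{{1,3}}){{3}}){Q}\.\s*$"
)

def parse_failure(line):
    """Return (timestamp, client_ip) for a failed-login line, else None."""
    m = FAILREGEX.match(line)
    return (datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"), m["host"]) if m else None

def hosts_to_ban(lines, maxretry=3, findtime=timedelta(hours=1)):
    """IPs with at least maxretry failures inside any findtime window."""
    recent, banned = defaultdict(deque), []
    for line in lines:
        hit = parse_failure(line)
        if hit is None:
            continue
        ts, ip = hit
        window = recent[ip]
        window.append(ts)
        while ts - window[0] > findtime:  # drop failures older than the window
            window.popleft()
        if len(window) >= maxretry and ip not in banned:
            banned.append(ip)
    return banned

# Constructed sample log, modelled on the lines quoted in the thread.
TPL = "2016-10-06 {} 110.837 5478 NXSERVER ERROR! wrong 'nxexec authentication' for user '{}' from '{}'."
SAMPLE = [
    TPL.format("11:54:58", "nomachine1", "10.0.1.61"),
    TPL.format("11:55:10", "nomachine1", "10.0.1.61"),
    "2016-10-06 11:55:10 111.214 5478 NXSERVER ERROR! Sending error message 'NX> 404 ERROR: Wrong password or Login.'",
    TPL.format("12:10:00", "root", "10.0.1.61"),
    TPL.format("12:20:00", "x' from '198.51.100.9'.", "203.0.113.7"),  # injected user name
    TPL.format("14:00:00", "admin", "203.0.113.7"),
]

if __name__ == "__main__":
    print(hosts_to_ban(SAMPLE))
```

The "Sending error message" lines carry no address, which is why only the `wrong 'nxexec authentication'` line is usable as a ban trigger at the default log level.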
This topic was marked as solved, you can't post.